Protect Deep Security Agent

If you have enabled manager-initiated communication (see Agent-manager communication), and by extension manager-initiated activation, you can protect the agent from unauthorized managers by allowing it to connect only to a specific known, trusted Deep Security Manager.

Bind Deep Security Agent to a specific Deep Security Manager

During agent-manager communications, Deep Security Agent can authenticate the identity of its manager. It does this by comparing your trusted manager's certificate to the connecting manager's certificate. If they don't match, manager authentication fails and the agent won't connect.

This prevents agents from activating with or connecting to a malicious server that is pretending to be your Deep Security Manager. This is recommended especially if agents connect through an untrusted network such as the Internet.

To do this, you must configure each agent with the trusted manager's server certificate so that they can recognize their authorized manager before they try to connect.

If you reset or deactivate an agent, it deletes the Deep Security Manager certificate. Repeat these steps if you want to reactivate the agent.

  1. On Deep Security Manager, run the command to export its server certificate:

    dsm_c -action exportdsmcert -output ds_agent_dsm.crt [-tenantname TENANTNAME | -tenantid TENANTID]

    where:

    • ds_agent_dsm.crt is the name of the manager's server certificate.

      You must use this exact file name. You cannot rename it.
    • -tenantname TENANTNAME is the name of a Deep Security tenant. If the Deep Security Manager is multi-tenant, either this or the -tenantid parameter is required. See also Set up a multi-tenant environment.
    • -tenantid TENANTID is the ID of a tenant.

    If you have multiple tenants, run the command to export the first tenant's certificate, like this:

    dsm_c -action exportdsmcert -output ds_agent_dsm.crt -tenantname TENANT1

    and then continue to the next step. (Don't run the export command again for TENANT2 and others until you are finished with the certificate for TENANT1. The command will overwrite the file.)

  2. On each agent's computer, put the ds_agent_dsm.crt file in this folder:

    • Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
    • Linux: /var/opt/ds_agent/dsa_core

    If you have multiple tenants, copy each tenant's certificate file only to its own agents. Agents cannot be activated by other tenants.

  3. If you have a multi-tenant Deep Security Manager, repeat the previous 2 steps for each tenant.

Initially, after completing these steps, the agent enters a 'pre-activated' state. Until the agent is fully activated, operations initiated by other Deep Security Managers, or by running dsa_control commands on the agent, do not work. This is intentional. Normal operation resumes upon activation.
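As an added example (not part of this documentation or the Deep Security product), a small Python helper for the Linux placement step that guards against the two pitfalls noted above: it writes the file only under the required name, and only after its SHA-256 fingerprint matches the value recorded for that agent's tenant right after the dsm_c export, so a certificate exported for another tenant (or overwritten by a later export) is refused. The fingerprint record, the tenant names and the placeholder PEM bodies are assumptions made for the example.

```python
import base64
import hashlib
import ssl
from pathlib import Path

# From the procedure above: the exact file name the agent expects (it cannot be
# renamed) and the Linux dsa_core folder it is read from.
REQUIRED_NAME = "ds_agent_dsm.crt"
LINUX_DSA_CORE = "/var/opt/ds_agent/dsa_core"


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of a PEM certificate.
    Record this on the manager right after each dsm_c export."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def cert_matches_tenant(pem_text: str, agent_tenant: str, recorded: dict) -> bool:
    """True only if the file fingerprints to the value recorded for this tenant."""
    return recorded.get(agent_tenant) == cert_fingerprint(pem_text)


def install_manager_cert(pem_text: str, agent_tenant: str, recorded: dict,
                         dsa_core: str = LINUX_DSA_CORE) -> Path:
    """Write the certificate into dsa_core under the required name, refusing a
    file that was exported for a different tenant or overwritten by a later
    export (its fingerprint will not match the recorded one)."""
    if not cert_matches_tenant(pem_text, agent_tenant, recorded):
        raise ValueError(f"certificate does not match the one recorded for "
                         f"tenant {agent_tenant!r}; not installing")
    dest = Path(dsa_core) / REQUIRED_NAME
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(pem_text)
    return dest


# Constructed placeholders: valid PEM framing around arbitrary bytes so the
# example runs offline. They are NOT real Deep Security Manager certificates.
def _placeholder_pem(seed: bytes) -> str:
    body = base64.encodebytes(seed * 8).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


TENANT1_CERT = _placeholder_pem(b"tenant1-")
TENANT2_CERT = _placeholder_pem(b"tenant2-")
# Hypothetical record kept by the administrator: tenant -> fingerprint at export.
RECORDED = {"TENANT1": cert_fingerprint(TENANT1_CERT),
            "TENANT2": cert_fingerprint(TENANT2_CERT)}

if __name__ == "__main__":
    print(install_manager_cert(TENANT1_CERT, "TENANT1", RECORDED, "./dsa_core"))
    print(cert_matches_tenant(TENANT2_CERT, "TENANT1", RECORDED))  # False
```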